Post on 17-Jan-2016
Network Attacks
CS432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University
References
- Security in Computing, 4th Ed., Chapter 7 (pgs. 408-440)
Section Overview
- Anatomy of an Attack
- Denial of Service Attacks
- Packet Sniffing
- Service Attacks
- Spoofing Attacks
Why are Networks Vulnerable?
- Reliance on shared resources
- System complexity
- Unknown perimeter
- Many points of attack
- Attacker anonymity
- Multiple paths to hosts
Anatomy of an Attack
(diagram of the attack sequence)
  Footprinting -> Scanning -> Enumeration -> Gaining Access -> Escalating Privilege -> Pilfering -> Covering Tracks -> Creating Back Doors -> Denial of Service
Source: Hacking Exposed: Network Security: Secrets and Solutions, by S. McClure, J. Scambray, and G. Kurtz
Denial of Service Attacks
- ICMP Redirects
- SYN Flooding
- Smurf Attacks
- Service Bombing: FTP, Finger, Mail Bombing
- Service Bugs: Ping o' Death, WinNuke, Teardrop
- Distributed DoS
- Targets may be upstream
SYN Flood Attack
(diagram)
  Client                                        Server
    SYN(C, ISNc)   ------------------------->
    SYN(C, ISNc)   ------------------------->
    SYN(C, ISNc)   ------------------------->
                   <-----  SYN(S, ISNs) ACK(C, ISNc)
                   <-----  SYN(S, ISNs) ACK(C, ISNc)
                   <-----  SYN(S, ISNs) ACK(C, ISNc)
- Server never gets ACKs to its SYNs
- Half-open connections accumulate
IP Address Spoofing
- Replace actual source address in IP packets
- Prevent packets from being traced back
- Exploit IP address-based trust relationships
Smurf Attacks
(diagram)
  Attacker (172.21.0.35)  ---  Ping 10.1.1.255, spoofed source 192.168.1.7  --->  10.1.1.0/24 network
  Every host on the 10.1.1.0/24 network replies to the spoofed source, 192.168.1.7 (the victim)
Distributed DoS Attacks
(diagram: one Intruder controls several Masters; each Master controls many Zombies (Z), which all send traffic to the Victim)
  Intruder -> Masters -> Zombies -> Victim
Source: Results of the Distributed Intruder Tools Workshop
Impersonation Attacks
- Social Engineering
- Cracked Passwords
- Stolen Passwords: sniffed, phishing
- Berkeley R-Commands
Packet Sniffing
- Promiscuous mode: see every packet as it crosses the network; transparent to other hosts
- Capture account passwords
- Read email
- Analyze network traffic
Network Hubs vs. Switches
- Hub: everyone can see all traffic
- Switch: virtual circuit between each pair of ports
Switch Attacks
- MAC Flooding: the switch's address table overflows and it acts like a hub
- ARP Spoofing
  (diagram: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 on one segment)
    "Who is 10.0.0.1?"
    Attacking host answers "I am (1:2:3:7:8:9)" so traffic for 10.0.0.1 is sent to its MAC address
Wireless Networking
- Bandwidth (shared): 802.11b – 11 Mbps; 802.11g – 54 Mbps; 802.11n – 600 Mbps (coming soon!)
- Modes: Ad Hoc (hosts talk directly to each other); Infrastructure (uses Access Points)
- Networks identified by Service Set Identifier (SSID) names
Infrastructure Model
(diagram: wireless hosts reach the Internet through an Access Point)
SSID Broadcasts
  SSID: linksys
  SSID: belkin54g
  SSID: Cisco
- Default SSIDs
Wireless Network Access Control
- Only allow known systems to connect
- Every wireless NIC has a unique address: known as the MAC address; assigned by the vendor; BSSID = MAC address of the Access Point
- Access Control List
- MAC Spoofing?
Wardriving
- High Power Mode: 450 ft = 40 houses, 4 streets
- Low Power Mode: 150 ft = 6 houses, 1 street
WEP Authentication
(diagram: client and Access Point both hold the shared WEP Key)
  Client (WEP Key)                          Access Point (WEP Key)
    Request to Connect    --------------->
                          <---------------  Challenge Plaintext
    Challenge encrypted with WEP Key  ---->
                          <---------------  Access Granted
WEP Frame
(diagram)
  Plaintext:  Message | CRC
  Keystream = RC4(IV, key)
  Frame:      IV | ID | Ciphertext   (Ciphertext = Plaintext XOR Keystream)
WEP Attacks
- Initial connection sniffing
- IV Reuse: look for IV collisions; some APs reset the IV to 0 each time the system is (re)initialized; IV dictionary attacks
- Injection attacks with known plaintext
- Wi-Fi Protected Access / 802.11i
IV Reuse Occurrences
- 1% after 582 encrypted frames
- 10% after 1,881 encrypted frames
- 50% after 4,823 encrypted frames
- 99% after 12,430 encrypted frames
Source: Jesse R. Walker, IEEE P802.11 Wireless LANs: Unsafe at any key size
Replay Attacks
(diagram: a captured ARP Request is retransmitted to the network)
FMS Attack
- Scott Fluhrer, Itsik Mantin, Adi Shamir
- RC4 matrix initialization weakness: if a key is weak, the keystream will contain some portions of the key more than other combinations
- Statistical analysis to find the key
Temporal Key Integrity Protocol
(diagram)
  TA, TSC, Base Key  -> key mixing ->  PK
  Keystream = RC4(IV, PK)
  Message | CRC  XOR Keystream  ->  Ciphertext
- Dictionary Attacks?
Token-based Login Race Attack
(diagram)
  Scott's session:       Attacker's session:
    Login: scott           Login: scott
    Password: 42356        Password: 423569
  The attacker guesses the last number and enters it before Scott can finish.
Resource Sharing
- May not need an account to access files
- Microsoft Shares: guest shares, accounts
- NFS Exports
- Samba
Service Exploits
- Banner Grabbing / Vulnerability Scanners
- Stack/Buffer Overflow
- Backdoors
- File Transfer Programs: Anonymous FTP, TFTP, FTP Bounces
FTP Bounces
(diagram)
  Attacker -> Anonymous FTP Server (with upload area): upload a file of commands
  Attacker -> FTP Server: PORT address, port   (the Target Host's address and port)
  Attacker -> FTP Server: RETR file
  FTP Server -> Target Host: the file's contents are delivered to that port
- Trusted Hosts increase threat!!!
CGI / Server Side Includes
- Extends the capabilities of the web server: external programs loaded by the server; form processing; dynamically created pages
- Runs with the same access as the web server
- Susceptible to bugs and access exploits
- User script dangers
DNS Spoofing
- DNS/ARP Cache Poisoning
- Pharming
- Trust-based access to other machines: Berkeley R Commands; remote file systems (NFS/SMB); web site phishing
- DNSSEC
Man in the Middle Attack
(diagram: a "Buy New CD" message is relayed through the attacker)
Source Routing Attacks
(diagram: two Trusted Hosts, an Attacker, and a chain of routers R R R R)
- Attacker DoS's one Trusted Host
- Attacker sets its address to that Trusted Host (IP spoofing)
- Source routed connection request is sent through the routers to the other Trusted Host
- Source routed response returns along the same route to the Attacker
Session Hijacking
(diagram: User Host, Destination Host, Attacker)
- Attacker watches live sessions to record sequence numbers
- Attacker DoS's the User Host and IP-spoofs packets to the Destination using the User Host's sequence numbers
- Destination continues the session as if nothing happened
TCP Sequence Guessing
(diagram: Trusted Host, Target, Attacker, Router)
- Attacker attempts to connect to the target many times and records sequence numbers
- Attacker calculates the sequence numbers which will be assigned for the next connection
- Attacker DoS's the Trusted Host
- Attacker spoofs the address of the trusted host and uses the calculated sequence numbers (the router passes the trusted internal address)
- Target runs the command from the spoofed trusted host